CVE-2016-1978

Impact:
Moderate
Public Date:
2016-03-08
Bugzilla:
1315565: CVE-2016-1978 nss: Use-after-free in NSS during SSL connections in low memory (MFSA 2016-15)
A use-after-free flaw was found in the way NSS handled DHE (Diffie–Hellman key exchange) and ECDHE (Elliptic Curve Diffie-Hellman key exchange) handshake messages. A remote attacker could send a specially crafted handshake message that, when parsed by an application linked against NSS, would cause that application to crash or, under certain special conditions, execute arbitrary code using the permissions of the user running the application.

Find out more about CVE-2016-1978 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 5.1
Base Metrics: AV:N/AC:H/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: High
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat Enterprise Linux 5 (nss) | RHSA-2016:0684 | 2016-04-25
Red Hat Enterprise Linux 7 (nss) | RHSA-2016:0685 | 2016-04-25
Red Hat Enterprise Linux 6 (nss) | RHSA-2016:0591 | 2016-04-05

Acknowledgements

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Eric Rescorla as the original reporter.
